Stuxnet Flaw Finally Gets Patched After More Than 4 Years
Microsoft today issued a patch for a critical vulnerability thought to have been fixed more than four years ago. The flaw had enabled the notorious Stuxnet attack back in 2010.Microsoft released its Patch Tuesday update today, providing a fix for a flaw that enabled the notorious Stuxnet attack. Most people in the world thought the vulnerability had been fixed back in 2010. The Stuxnet worm was an exploit that was used against a nuclear facility in Iran back in 2010, in part by taking advantage of a vulnerability in Windows. The vulnerability that enabled Stuxnet was identified as CVE-2010-2568, which was thought to have been patched by Microsoft in October 2010. More than four years later, Hewlett-Packard's (HP) Zero Day Initiative (ZDI) has discovered that the CVE-2010-2568 fix was not, in fact, complete and the underlying vulnerability has remained exploitable the whole time. "HP's Zero Day Initiative reported this issue to Microsoft on Jan. 8, 2015," Brian Gorenc, manager of vulnerability research for HP Security Research, told eWEEK. ZDI has a 120-day disclosure policy, whereby it will publicly disclose issues that have been reported to vendors after 120 days, if a patch has not been released. By releasing a patch now, Microsoft is well within the 120-day deadline, which highlights the severity of the issue, Gorenc explained.
The proof-of-concept code exploits that HP's ZDI provided to Microsoft on the security flaw were designed to bypass the validation checks put in place by MS10-046, the bulletin released in 2010 to patch CVE-2010-2568, he adi. Rather than update the CVE-2010-2568 vulnerability information, a new identifier has been assigned with CVE 2015-0096 to encompass the expanded impact.